Policy for Password Changes

This section explains the policy attributes that govern changes to passwords.

In many deployments, Directory Server is the repository for identity
data. Users should be able to change their own passwords, which you permit with pwdAllowUserChange(5dsat), so that you do not have to change passwords on their behalf.

After you allow users to change their own passwords, you might also
want to control the circumstances under which users can change their passwords.
You can use pwdSafeModify(5dsat) to specify that users who change a password must provide
the correct existing password before they are allowed to replace the password.
See Modifying Passwords From the Command Line When pwdSafeModify Is TRUE for an example of how to modify the
password. You can prevent users from reusing passwords by using pwdInHistory(5dsat) to specify how many passwords Directory Server remembers.
You can also prevent users from changing their passwords too often by setting pwdMinAge(5dsat).

In many cases either you as administrator or some application that you
manage creates user entries in the directory. You can assign an initial password
value that the user must change when first binding to the new account. You might also
have to reset a user password, after which the user should change the password
when next using the account. Directory Server has a specific attribute, pwdMustChange(5dsat), that you can use to indicate whether a user must
change the password after it has been reset by another user.
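The following audit script is an added example, not part of Directory Server or this guide. It parses a password-policy entry exported as LDIF and reports which of the change-control attributes described above (pwdAllowUserChange, pwdSafeModify, pwdInHistory, pwdMinAge, pwdMustChange) are set permissively; the LDIF entries are constructed, and the policy DN and the hardened values are assumptions for illustration.

```python
"""Audit a Directory Server password-policy entry for the attributes that
govern password changes. Example code; the LDIF and the DN are constructed."""

# Constructed LDIF of a permissive policy (DN assumed, not taken from the guide).
WEAK_POLICY_LDIF = """\
dn: cn=Password Policy,cn=config
objectClass: pwdPolicy
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdInHistory: 0
pwdMinAge: 0
pwdMustChange: FALSE
"""

# Constructed LDIF of the same policy with the change controls enabled
# (history depth and minimum age are illustrative values, in count and seconds).
HARDENED_POLICY_LDIF = """\
dn: cn=Password Policy,cn=config
objectClass: pwdPolicy
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdInHistory: 6
pwdMinAge: 86400
pwdMustChange: TRUE
"""

def parse_ldif_entry(text):
    """Return {attribute-name-lowercased: [values]} for one simple LDIF entry
    (no line folding or base64 values, which this example does not need)."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def audit_policy(attrs):
    """Return a list of findings; an empty list means every control is on."""
    def first(name, default):
        return attrs.get(name.lower(), [default])[0]
    findings = []
    if first("pwdAllowUserChange", "FALSE").upper() != "TRUE":
        findings.append("pwdAllowUserChange is not TRUE: users cannot change their own passwords")
    else:
        # These three controls only matter once users may change their own password.
        if first("pwdSafeModify", "FALSE").upper() != "TRUE":
            findings.append("pwdSafeModify is FALSE: the existing password is not required on change")
        if int(first("pwdInHistory", "0")) == 0:
            findings.append("pwdInHistory is 0: previous passwords may be reused")
        if int(first("pwdMinAge", "0")) == 0:
            findings.append("pwdMinAge is 0: nothing stops passwords being changed too often")
    if first("pwdMustChange", "FALSE").upper() != "TRUE":
        findings.append("pwdMustChange is FALSE: a password reset by another user need not be changed")
    return findings
```

Running `audit_policy(parse_ldif_entry(WEAK_POLICY_LDIF))` lists four findings, while the hardened entry yields none.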